Open redirect vulnerability in the clean_param function in lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an HTTP Referer header that has a substring match with a local URL.

Vulnerable Systems:
*Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1

Immune Systems:
*Moodle 2.7.9 and later in the 2.7.x series, 2.8.7 and later in the 2.8.x series, and 2.9.1 and later in the 2.9.x series

A remote authenticated user can modify data on the target system. A remote user can redirect the target user's browser to an arbitrary site. A remote user can conduct cross-site scripting attacks. A remote user can create a specially crafted HTTP Referer header that, when loaded by the target user, will redirect the target user's browser to an arbitrary site.
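As an added illustration (not code from the Moodle project, and not the actual body of clean_param), the PHP below contrasts a substring check against the local site URL, the class of weakness the description above attributes to clean_param, with a check that parses the candidate URL and compares scheme, host and port exactly before accepting it as local. The site URL and the candidate URLs are constructed for the example.

```php
<?php
// Added example, not Moodle's code. WWWROOT is an assumed local site URL.
const WWWROOT = 'https://moodle.example';

// Weak check: accepts the URL whenever the local site URL appears anywhere
// in it, which is the substring-match behaviour described in the advisory.
function is_local_substring(string $url): bool {
    return strpos($url, WWWROOT) !== false;
}

// Hardened check: the URL must be absolute, carry no userinfo, and match the
// site's scheme, host and port exactly; the path must sit under the site path.
function is_local_strict(string $url): bool {
    $root = parse_url(WWWROOT);
    $u = parse_url($url);
    if ($u === false || !isset($u['scheme'], $u['host'])) {
        return false;                           // relative or unparsable: reject
    }
    if (strcasecmp($u['scheme'], $root['scheme']) !== 0
        || strcasecmp($u['host'], $root['host']) !== 0
        || ($u['port'] ?? null) !== ($root['port'] ?? null)
        || isset($u['user']) || isset($u['pass'])) {
        return false;
    }
    $rootpath = rtrim($root['path'] ?? '', '/') . '/';   // '/' when the site has no sub-path
    $path = $u['path'] ?? '/';
    return $path === rtrim($rootpath, '/')
        || strncmp($path, $rootpath, strlen($rootpath)) === 0;
}

// Constructed candidates: one genuine local page and three URLs that merely
// contain the site URL as a substring (query string, host prefix, userinfo).
$candidates = [
    'https://moodle.example/course/view.php?id=2',
    'https://attacker.example/?next=https://moodle.example',
    'https://moodle.example.attacker.example/',
    'https://moodle.example@attacker.example/',
];
foreach ($candidates as $c) {
    printf("%-55s substring=%-5s strict=%s\n", $c,
        is_local_substring($c) ? 'allow' : 'deny',
        is_local_strict($c) ? 'allow' : 'deny');
}
```

Only the first candidate should be accepted; the substring check lets all four through, which is why the redirect target must be validated as a parsed URL and not by string containment.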